company is posting job applicants on their website, with contact information

by Ask a Manager on January 16, 2014

Share on Facebook3Tweet about this on Twitter9Share on LinkedIn0Share on Google+0Share on TumblrDigg thisShare on StumbleUpon0Print this page

A reader writes:

I recently applied for a job that was posted on the company’s website. I applied electronically using their online form. I noticed my full name and cover letter are now posted on their public website, along with similar information from many other applicants. For those applicants who included contact info such as address or phone number, that has been posted on the website as well.

Screen Shot 2014-01-16 at 6.30.59 PMThere’s a section of their website labeled “Applications” in which you can search by type of position, then click on anyone’s name and see their cover letter. I attached a screen shot. The website doesn’t say anywhere what this is for or provide any explanation for it. 

Can they do this?

Whoa. While they can do this in a legal sense, they very much should not do this. And it’s so unusual that I have to think it’s a mistake — that what you’re seeing is their internal applicant tracking system and they don’t realize that it’s accidentally been made available to the public.

I would contact them and say, “I’m not sure if you’re aware, but a long list of people who have applied for jobs with you is currently displaying on your website, along with applicants’ private contact information and cover letters. It’s showing up at (URL). I suspect this was a technical error, but as one of the applicants whose information is displayed there, is there a way to get it removed?”

{ 160 comments… read them below or add one }

Jubilance January 16, 2014 at 11:18 am

Wow.

Sounds like it’s a page that should be on the company intranet/behind a firewall where only HR can see it, but they had a coding issue. I’d definitely bring it to their attention immediately.

Reply

Adam January 16, 2014 at 11:36 am

Gotta be. The site’s too blocky and admin like to be something to show on a public browser. Must be a bug somewhere. They’ll probably be really embarrassed when they find out.

Reply

A Jane January 16, 2014 at 12:13 pm

The website seems so old, I wouldn’t be surprised if there wasn’t a website administrator or someone who understood the back end.

Reply

KC January 16, 2014 at 11:19 am

Yiiiiikes. Yeah, I’d do what Alison suggested and contact them about it (it HAS to be in error).

Reply

Gene January 16, 2014 at 11:24 am

AAM, you should probably remove the part of the url you show. I found the website with little trouble.

Reply

Ask a Manager January 16, 2014 at 11:29 am

I’m confused — in the graphic? I don’t see any URL there! Where should I be looking?

Reply

Gene January 16, 2014 at 11:33 am

Second paragraph, inside the parens.

Reply

Ask a Manager January 16, 2014 at 11:34 am

Got it. I’m amazed you were able to locate the site from that!

Reply

Gene January 16, 2014 at 11:38 am

Between the part of the url and the info in the image, it was easy, probably took me under 2 minutes. And the IT person in that agency (I’m not one, just good at searching) should be slapped.

Reply

The Wall Of Creativity January 16, 2014 at 11:49 am

I can find the page just from words in the image. Unfortunately, you probably need to take the image down. Still, at least I now know we’re not talking about Operation Smile.

Reply

MW January 16, 2014 at 11:52 am

+1

I thought, “I hope this isn’t Operation Smile,” myself!

Reply

A Bug! January 16, 2014 at 12:00 pm

Yeah, the image provides sufficient search terms to pinpoint the site as the only Google search result.

Reply

ThursdaysGeek January 16, 2014 at 12:08 pm

I was trying to figure out how just those words would be enough. But you’re right. I found it too. Right now, the spam postings cover all of the first page and part of the second, and they started a couple of days ago, so this was found by the spammers before the AAM posting. I don’t think taking down the image will help, because it probably didn’t hurt.

Reply

William January 16, 2014 at 12:12 pm

Yeah, I had no trouble finding the site either, just from the wording in the screenshot.

Reply

KLH January 16, 2014 at 1:18 pm

I love how casual Operation Smile bashing is now a thing here. May their infamy extend across the galaxy and never attract a desperate applicant again.

Anne January 17, 2014 at 5:18 am

Why Operation Smile?

Reply

The Wall of Creativity January 17, 2014 at 6:03 am
Steve January 16, 2014 at 11:51 am

I intially thought “there’s no way I’ll get a hit on that minimal info.” Zoinks, there it was. Then I thought “there’s nothing here that’s all that confidential other than applicants names.” I thought maybe there were some transparency regulations that required them to post applicants names. Until I realized I had just clicked on some poor folks who hadn’t bothered to write any kind of cover letter – a few more clicks and there were people’s names, addresses, phones, work history, etc.

I actually clicked on the “email us” link and reported that even though I’m not an applicant I felt that their website might have some privacy issues that they needed to address.

Reply

A Bug! January 16, 2014 at 12:18 pm

I think what gets me most is that it’s the best applicants who are most compromised by this error, because those are the people who bothered to write useful cover letters.

Reply

Anonymous January 16, 2014 at 11:40 am

This bit:

“There’s a section of their website (at …XXXXX)”

was enough for me to find the site

Reply

Ughh January 16, 2014 at 11:25 am

Yeah I really hope it’s an error. I would remove my application and let them know and wait for it to be fixed. If it’s not an error I would not apply.

Reply

me January 16, 2014 at 11:46 am

Good chance to check out the competition. ; )

Reply

Elizabeth West January 16, 2014 at 11:49 am

Holy CRAP. Yes, tell them immediately. I doubt this was intentional.

Reply

Ann O'Nemity January 16, 2014 at 11:52 am

Unfortunately, that private contact information has probably already been compromised.

Reply

fposte January 16, 2014 at 11:55 am

There’s also been a rash of spam postings on the board today, so clearly the vulnerability has been exploited. I’m another saying it’s best just to take the image down ASAP.

Reply

A Bug! January 16, 2014 at 12:05 pm

I’m wondering if it’s set up so that the form results just get submitted to an e-mail address, and that e-mail address has been picked up by spammers.

Reply

ThursdaysGeek January 16, 2014 at 12:11 pm

The spam postings started on 1/13, so the page had been discovered before this AAM posting.

Reply

fposte January 16, 2014 at 1:45 pm

Ah. I never know what day it actually is. I at least feel less complicit now.

Reply

belle January 16, 2014 at 11:57 am

Yeah even with the little information still showing I was able to find the site. The page looks overrun by spam, but at least personal information is gone.

Reply

belle January 16, 2014 at 11:59 am

Actually, names etc are on page 2.
Yeah, i’d take the image down.

Reply

MW January 16, 2014 at 12:00 pm

+1

I admit I took it as a challenge to figure out what group this was. I was just about to post something similar. Viewing the application gives quite the text box. It is an improvement over the personal info. I hope the company notifies applicants of the breach.

Reply

Ask a Manager January 16, 2014 at 12:00 pm

I redacted the remaining potentially identifying thing that I’d previously left in the graphic (a very generic applicant name). Solved?

(I was so excited to get to have a graphic for once!)

Reply

MW January 16, 2014 at 12:02 pm

Alison – I’ll email you what I used to google what I think the company is. If it is correct, I do suggest you take the graphic down.

Reply

MW January 16, 2014 at 12:05 pm

I used FB to message you. I didn’t want to leave the phrases in the comments if I’m correct.

And this is quite the lesson in online privacy and how easy it is to locate something. I’m shocked.

Reply

Penny January 16, 2014 at 6:26 pm

This Christmas, I was sending cards for the first time and realized I didn’t have addresses for some friends and family members so I figured, let me try Googling their names and city (or at least the nearest city I know). Yeah, got all their names, people they may know (usually their spouses or children), age, address, previous cities lived in, a map and image of their house. I was able to confirm it was them by recognizing the house. I was shocked how much I could find with a simple search! A little scary!

Reply

The Wall of Creativity January 16, 2014 at 12:03 pm

I needed the applicant name to find the page. Without the applicant name, I looked through 4 pages of search results and found nothing.

Reply

MW January 16, 2014 at 12:06 pm

my google search had it as the top result, and only 5 results. All to the same org.

Reply

belle January 16, 2014 at 12:08 pm

using the first few dates and view application will probably get you the page.

Reply

A Bug! January 16, 2014 at 12:15 pm

I didn’t even need to use a date. The three sets of words in the top left, with quotation marks as appropriate, were enough to bring it up for me. But again, I don’t know how to ensure that my previous searches aren’t tainting my current results; I used a new tab but I didn’t close out Chrome entirely.

Reply

Laura January 16, 2014 at 12:40 pm

I just tried it as you said and found it – and I hadn’t before. Yikes!

Reply

A Bug! January 16, 2014 at 12:06 pm

I hate to be a downer when you’re so excited, but I took the applicant’s name out of my search terms and that page is still the only result that comes up. I don’t know if my prior searches are tainting the current results, but I would expect more results to have come up even if that were the case.

Reply

belle January 16, 2014 at 12:08 pm

+1

Reply

ThursdaysGeek January 16, 2014 at 12:13 pm

Taking down the graphic was probably wise, but the spam started days before you posted this, so don’t feel too bad.

Reply

kdizzle January 16, 2014 at 12:14 pm

Eeek! I also just found the webpage with only the information in the picture.

Reply

J January 16, 2014 at 12:27 pm

I too was able to find the web page using only the words in the graphic. A Google search returned what I was looking for on the first page of results.

Reply

A Nonny Moose January 16, 2014 at 12:35 pm

Yep, I also easily found the site with just the information left in the graphic. Maybe redact the dates, too? But, the safest thing would be to take it down.

Reply

Ask a Manager January 16, 2014 at 12:28 pm

I redacted some of the instructions. Hopefully that solves it.

Reply

A Bug! January 16, 2014 at 12:29 pm

As far as I can tell, that does the trick.

Reply

S.K. January 16, 2014 at 12:40 pm

I was still able to find it (I hadn’t looked before, so my search results weren’t tainted). I had to try a few times but if someone is actually trying, the image above is still enough, even as out-of-date as it is.

On the other hand, I doubt it matters much at this stage. The barn door’s been open for awhile.

Reply

TK January 16, 2014 at 1:00 pm

I did searches using just information that’s still there, and found it on my second try (after adding more words and putting things in quotes).

Reply

TK January 16, 2014 at 1:00 pm

Actually, my third try. The first time I didn’t use the dates. I’m pretty sure the dates are what’ll get you there.

Reply

Elizabeth January 16, 2014 at 1:28 pm

Yeah, adding the dates allowed me to find it.

Reply

Laura January 16, 2014 at 12:41 pm

I was able to find it Googling just the various heading/instruction phrases, in quotes, as was said up-thread. :|

I’d bet the killer is the phrase immediately above the drop-down about filtering – how likely is that to be on public web pages?

Reply

Laura January 16, 2014 at 12:41 pm

LOL. Never mind, that was the one you pulled, after I did the search. Sorry!

Reply

You Can't Hide Online January 16, 2014 at 1:23 pm

Still was able to find it with minimal Google-fu…

A text search using all the column labels and other text on the page brought me there in about 30 seconds. Third hit on the list of results.

Reply

Indeed January 16, 2014 at 2:24 pm

It did. Taking the dates out of the graphic would probably help, but they definitely f’ed up their share point site.

Reply

A Jane January 16, 2014 at 12:10 pm

This reminds me of a time a non-profit used a Google spreadsheet to have applicants sign up for an interview time. They gave everyone unlimited access, so not only could I see who else was applying, but I could also edit their contact information! Definitely did not go forward with the interview process.

Reply

Goofy posture January 16, 2014 at 1:12 pm

Yow!

Reply

A Bug! January 16, 2014 at 12:12 pm

Internet Detectiving aside, this is a terrible breach of privacy and I’d be very concerned with respect to potentially working for them.

That set-up is extremely sloppy work, and if the person who created it is involved with anything requiring confidentiality I’d run screaming in the other direction.

Unless I were an IT/web dev person, in which case I’d send them an e-mail regarding the job opening that must surely be impending.

Reply

EJ January 16, 2014 at 12:43 pm

+1 for seizing the inevitable opening in IT :)

Reply

S.K. January 16, 2014 at 12:43 pm

I would be even more concerned that the page is *still* up, hours later. (or even days later, depending when the OP wrote in). Making a mistake is one thing, but how does this not get fixed IMMEDIATELY?

Reply

fposte January 16, 2014 at 3:03 pm

My guess: it’s a bureaucratic organization, and the request is percolating through the system; I bet there’s also some confusion over how to make the site non-public but still accessible internally, too (especially if it’s supposed to be directly available to applicants), and the people who’ve heard about the exposure aren’t willing to take the risk.

Reply

Sydney Bristow January 16, 2014 at 12:19 pm

Oh my goodness! Personal information aside, now your boss could know you’re job hunting and where.

If it isn’t a mistake, which it has to be (right?), its so crazy that I’d remove myself from consideration and do whatever I could to get them to take my info down.

Reply

Jake January 16, 2014 at 12:20 pm

This doesn’t shock me that much. Especially if it is smaller company. I currently work for a company that posts all kinds of things on the website that would have been behind several layers of security when I worked for a fortune 500 company. A lot of this stuff is pretty confidential in the sense that the client always writes into their contract that these documents are for official use only. However, nobody at our company or client gets too uptight about it.

This is terrible, but I bet it happens far more than anybody realizes.

Reply

Poe January 17, 2014 at 4:11 am

I once applied for a job in a department at a university that dealt with a LOT of confidential data, and while Googling around for info on the department, I found a wiki they had set up that was publicly available. It contained screenshots from their database with names barely blurred out. I confess I used the wiki to obsessively study for my interview, though I also sent an anonymous note (via a “contact us” form) that this was available online and likely was not meant to be. Yes, I got the job.

Reply

Joey January 16, 2014 at 12:38 pm

Nice. I wonder if any of those candidates would actually accept if offered after seeing this. Somehow I think some would.

Reply

Gene January 16, 2014 at 12:39 pm

OMG! I thought it couldn’t get worse. I poked at the info for a bit and not only is all the contact info there, but the email addresses are clickable! That pretty much guarantees that the spammers have the applicants’ email addresses now. None of my webpages use the “mailto:” tag, it’s spammer bait.

Reply

ChristineSW January 16, 2014 at 12:42 pm

Wowwwwww!!

I’d definitely run, and fast!!

Reply

Jamie January 16, 2014 at 12:44 pm

I agree with everyone saying this has to be an error – they must have meant this to be available internally only and made it public facing.

But if it was a mistake I don’t get this part

There’s a section of their website labeled “Applications” in which you can search by type of position, then click on anyone’s name and see their cover letter

Did this look like the rest of the site? Was it formatted in the same design, etc? Because if I were to put confidential info on the website (and I wouldn’t, that’s what a secured intranet is for) I wouldn’t bother making it pretty – just bare bones functional.

If it was basic html or whatever I wouldn’t have any doubts regarding the error.

I hope no one who applied has bosses or nosy co-workers who google them for spite – this really sucks and the unprofessionalism just offends me.

Reply

V January 16, 2014 at 12:50 pm

This looks like the interface for the applicant tracking system InterviewExchange, actually. So perhaps it’s somehow been made public?

Reply

Jamie January 16, 2014 at 12:57 pm

That would make sense – so they probably didn’t know it was facing forward. Sloppy not malicious – damaging either way.

Reply

fposte January 16, 2014 at 3:15 pm

So when you get there from Google, are you getting the spammy filename in the URL? Do you know what kind of vulnerability they’d have to have in order for that to have been created?

Reply

Ruffingit January 16, 2014 at 12:50 pm

Super easy to find this site and wow, this is awful! I think someone should not only email, but also call and let them know about this. Call HR or someone.

Reply

Canadamber January 16, 2014 at 1:00 pm

I’ve been Googling too, and I just found it. I used this search term:

REDACTED (BY ALISON, FOR APPLICANTS’ PRIVACY — SINCE THE COMPANY HASN’T FIXED IT)

Reply

amaranth16 January 16, 2014 at 2:47 pm

My God, that locates it for me, too. I can’t believe Alison called an hour and a half ago and they still haven’t figured out how to take it down.

Reply

Windchime January 16, 2014 at 8:02 pm

Yeah, this worked for me too. I wonder if this comment should also be edited or removed. We don’t want to perpetuate the problem.

Reply

Anon January 17, 2014 at 9:45 am

This comment should probably be erased…

Reply

jj January 16, 2014 at 1:00 pm

This could Quite possibly be everyone’s worst nightmare!

Reply

Ask a Manager January 16, 2014 at 1:11 pm

I just called and talked to them. They didn’t know it was happening, it’s not supposed to be happening, they’re alarmed, and they’re going to figure out how to fix it.

Reply

Jamie January 16, 2014 at 1:16 pm

I hope they know to contact Google – Google has a process for clearing the info faster than it would organically fall off with just removing the page for when confidential information was inadvertently published.

I think it’s so awesome that you called. :)

Reply

Ask a Manager January 16, 2014 at 1:18 pm

The second minute of the conversation went like this:

“Who are you again?”

“I write an advice column and someone wrote to me about this.”

(confused silence)

I think people are not used to what was essentially “hi, I’m an advice columnist, and I have some advice for you!”

Reply

Sydney Bristow January 16, 2014 at 1:20 pm

I love this!

Reply

Jamie January 16, 2014 at 1:23 pm

I’m cracking up – that’s excellent!

Reply

Loose Seal January 16, 2014 at 1:24 pm

”hi, I’m an advice columnist, and I have some advice for you!”

This completely tickled my funny bone. Also, I think it’s very nice that you called to let them know.

Reply

You Can't Hide Online January 16, 2014 at 1:28 pm

That’s just awesome. Well done!

Reply

Catzie January 16, 2014 at 2:25 pm

That is hysterical. Imagine their dinner conversations tonight:

“So this advice columnist called me today…”

Reply

College Career Counselor January 16, 2014 at 2:27 pm

That put me in mind of this exchange from Police Squad:

“Who are you, and how did you get in here?”

“I’m a locksmith, and….I’m a locksmith.”

Reply

Windchime January 16, 2014 at 2:58 pm

I’m a little hurt and confused that you didn’t call me last week when I needed advice, Alison. Hah! :)

Reply

ThursdaysGeek January 16, 2014 at 4:13 pm

I always figure if those 1-900 psychics were any good, they’d call me.

Reply

Windchime January 16, 2014 at 8:03 pm

No kidding! I am waiting by my phone now……

Reply

Mephyle January 16, 2014 at 8:09 pm

There will need to be a whole new category for this one at the year-end “most _______ post” round-up!

And it’s about 6 hours later, and it’s still up, with all the applicant’s letters and clickable e-mails.

Reply

FRRibs January 16, 2014 at 9:56 pm

I can visualise this as a meme on one of those pseudo-50s E cards.

Reply

Elizabeth West January 16, 2014 at 1:33 pm

I think so too. Yay Alison!

Reply

PoohBear McGriddles January 16, 2014 at 1:44 pm

Maybe you just gained some additional readers there!

Reply

Anonicorn January 16, 2014 at 5:19 pm

Good on you. I hope they can fix it soon, as it’s quite late in the afternoon and I can still locate the site and see the applicant information.

Reply

Poe January 17, 2014 at 4:14 am

It is still up.

Reply

Zahra January 16, 2014 at 1:15 pm

Oops. it looks like they just got a rash of spammers on there too!

Reply

You Can't Hide Online January 16, 2014 at 1:26 pm

Not to invade privacy but – ok, well I guess that’s what you’d be doing, no way around it – this is potentially a great data set for you, Alison.

If someone took 30 minutes and copied down all the cover letters, you’d probably notice some amazing trends. How many simply don’t write one, the rarity of a truly well-written one, etc.

Couldn’t help but have that thought pop into my head when I saw this!

Reply

Ask a Manager January 16, 2014 at 1:27 pm

It’s true, but fortunately I get access to similar data sets just by doing hiring for clients (and previously for myself) so I’m going to pretend that I cannot see this one :)

Reply

You Can't Hide Online January 16, 2014 at 1:32 pm

Of course you do. D’oh.

That said, I will note that I made a few cursory clicks to verify I found the site being discussed here and, yeah, wow. Tons of cover letter-less applications and some, uh, very interesting email addresses.

My point to everyone here that’s not Alison – not that we didn’t already know this, but she’s 100% spot-on when it comes to the insanity that appears in application inboxes.

P.S. Way to be responsible and ethical and all that! :)

Reply

GH January 16, 2014 at 6:35 pm

Yeah, I clicked on a few out of curiousity too and was fascinated by the instantly clear difference between a good cover letter (“I have 10 years experience at doing “) and a wasted one (“I would like to give you a summary of my strengths, which I believe are a good fit for your needs. “) Obviously this breach is a bad thing but the examples are very educational.

Reply

GH January 17, 2014 at 6:28 pm

Ugh, I used angle brackets in my comment to set off some phrases and they were interpreted as code so my post is missing key phrases. Sorry everyone! The conversation has moved on appropriately so I won’t bother reconstructing the missing bits. You can go about your business.

Reply

Anon January 16, 2014 at 9:42 pm

I don’t understand people who write completely eloquent cover letters and then list their email address as (changing this spelling only slightly to protect the guy’s real email address) hog 4 christ at yahoo.com.

REALLY? You can’t take two seconds to come up with an email address that involves your name instead? (And, secondarily, you’re applying for a digital communications job and you’re using a YAHOO email addy? Not the biggest problem, though, I know.)

Reply

FRRibs January 16, 2014 at 10:12 pm

I think some folks look at their emails as an extension of their online identity and not as a t-shirt that can be changed to be appropriate for the venue (an outdated view of course).

I had a personal email address I carried from the beginning of hotmail (1997 or thereabouts); at the time I didn’t think of having multiple emails for different uses…which led to one interview where the fellow opposite me was more interested in the story of how I decided on closet_goth as an email address than in interviewing. Sadly I lost the password and wasn’t able to recover it from MS, so 15+ years of emails are just floating out there.

Reply

Anonymousss January 16, 2014 at 11:14 pm

The applicant with that email address ended up getting hired, if you take a look at their Staff page. While he did put effort into writing a cover letter (most applicants did not), it was sprinkled with grammatical errors and some poor word choice. For someone who indicated in the cover letter that he considered writing to be a strength of his, I would have been left scratching my head if I were the hiring manager. Still, he could have been their best applicant to choose from. (I did not see any other cover letters for that position.)

Reply

Jamie January 16, 2014 at 1:33 pm

Ethically you can’t do that – but the stats geek in me would love empirical data on this (overall – not this position.)

In my industry for entry level positions a cover letter of any kind is about 20%. 99%+ percent of those are form letters because they are applying through one of the employment agencies with whom we work and they are all the same. You might as well not even use one.

For every couple of hundred applicants we’ll get a handful of custom written cover letters. Less than 10. Of those about half are a cut and paste of the ‘objective’ section of their resume (which is another issue). So literally for every 200-300 applications/resumes sent in we’ll get 2-3 custom cover letters that are well written. Every one of those people gets a call back because they are such the purple squirrel.

Stats are much different for office jobs – but it goes to show even for factory work it really helps. It’s not necessary technically, because if you only hired those with good cover letters you’d have 6 people, but it helps so much I cannot even tell you.

Reply

You Can't Hide Online January 16, 2014 at 1:48 pm

Yeah, I’m not involved in hiring at all but stats like that always…

a) blow my mind, and
b) make me feel so much better when I’m taking the time to write said letters while applying for a job!

Reply

Felicia January 16, 2014 at 3:10 pm

Me too! I write custom cover letters for every position, so this makes me feel better about my chances.

Reply

GH January 16, 2014 at 6:37 pm

+1 and thank for sharing this.

Reply

Mochafrap512 January 16, 2014 at 2:22 pm

Allison, I sent you a FB message. I know you’re excited about the graphic and I have many questions. I personally will send you a question with a graphic, but please take down the one above.

Reply

Ask a Manager January 16, 2014 at 2:25 pm

I’m not currently somewhere where I can take it down right now but will when I’m able to. But more importantly, the company needs to take it down.

Reply

Mochafrap512 January 16, 2014 at 6:11 pm

It’s fine now because the company has taken it down- you’re awesome!

Reply

GH January 16, 2014 at 6:30 pm

Have they? It’s still there for me — both the version with the spammy url, and the truncated version.

Reply

fposte January 16, 2014 at 6:32 pm

Just to be clear–you’re saying they took your particular materials off, right? Because the site is still loading for me with candidate info.

(Weird that they’re taking individual info off but not making the site private.)

Reply

Anonymous January 16, 2014 at 7:30 pm

No they haven’t. I just looked it up based on another comment posted above and found it!

Reply

Mochafrap512 January 17, 2014 at 5:06 am

I see it now. This is scary because people’s personal addresses are available. It would be easy to “wipe out the competition.” I think the company needs a new IT person. Anyone else agree? Lol

Reply

Question-Asker January 16, 2014 at 2:29 pm

AAM, thank you for calling them! Interestingly, though, as soon as I came across this site (well over a week ago) I became quite concerned about my internet image since I’m in the midst of a job search. I frantically emailed 3 people at the company – the Communications / Web Specialist, the Workforce Development Manager, and the “Email Us” link at the bottom of the webpage – asking them to please remove my personal information from their public website. Within a day or so, my name and cover letter had been removed, but the site remained functional.

So, even if this was a programming mistake or otherwise unintentional, they really shouldn’t be acting “alarmed” and claiming that they didn’t know this was happening.

Reply

hilde January 16, 2014 at 2:39 pm

Operation Smile and now this company?! 2014 is starting off witha bang here on AAM.

Reply

Ask a Manager January 16, 2014 at 2:55 pm

Wow, yeah. Although I spoke with their receptionist and it’s possible that she just wasn’t in the loop but someone else was on it.

… Except that not really because if they knew of the issue enough to take yours down before today, they should have taken the rest down too.

Reply

fposte January 16, 2014 at 3:08 pm

I’m wondering if there hasn’t been an additional complication. When I get there off of a Google search, the URL displays an additional and *very* spammy subdirectory filename that’s highly unlikely to be original. (If I take the spammy subdirectory filename off, I get the same document, so it’s still public, unfortunately.)

I don’t know what you’d have to be able to do to spamjack a filename, but it looks like it’s been done.

Reply

Confused January 16, 2014 at 4:34 pm

It’s about 1:30 (west coast) and it’s still up :(

Reply

Jessica (tc) January 16, 2014 at 11:08 pm

Ouch, yeah. This makes it even worse in my mind…and it’s still up. :(

The fact that the search bar is bringing up applicant information from the main screen is doubly concerning. I hope they take your call seriously, Alison!

Reply

hamster January 16, 2014 at 2:40 pm

Aand it is still up :(

Reply

Jubilance January 16, 2014 at 3:04 pm

Wow and it’s still up, I just found it. I truly hope they are taking this seriously and not just giving it lip service. Maybe if someone tipped Gawker to this, they’d take it down faster.

Reply

Kerr January 16, 2014 at 4:37 pm

Still up for me, too. Wow. In this case, I would *not* contact Gawker. The applicants’ info is still up, and IMHO their privacy should be considered paramount, not shaming the company while all of that info is still floating around. Yeah, the barn door has been open for a while, but it hasn’t been publicized until now. If I were one of those applicants, I would be angry with the company for letting it happen, but doubly angry with someone who thought it was their “duty” to blast that data to even more potentially skeevy corners of the Internet.

Reply

Kerr January 16, 2014 at 4:39 pm

In addition, I imagine that a number of people might start poking around to see what other vulnerabilities they could find, while an evidently slow-moving, non-tech savvy organization is left scrambling. Obviously, they need someone to do a lot more checking and barn-door-closing, but probably not this way.

Reply

fposte January 16, 2014 at 4:47 pm

Somebody’s already found the vulnerabilities, I think.

Reply

Kerr January 16, 2014 at 4:58 pm

Well, yes. I’d just hate for malicious types to poke around and find more.

Reply

fposte January 16, 2014 at 3:54 pm

Oh, holy cow. I put the base domain and job apps directory into Google and there’s massive spam being generated off of that URL, and it looks like that’s been the case for several months. They’ve left a big hole open somewhere, and I’d say the exposure of the candidates’ info may not be their biggest problem.

Reply

Anonymous January 16, 2014 at 4:26 pm

Can you find who hosts the site? And maybe shoot off an email to the host provider?

Reply

fposte January 16, 2014 at 4:46 pm

I sent a note to the tech contact on the whois entry. Dunno how up to date it is.

Reply

Anon January 16, 2014 at 6:45 pm

Looks like the whole site is poorly done. Using the search box on the sites home page resulted in people’s applications when I used words appearing in the applications… even applicant names.

Reply

fposte January 16, 2014 at 7:04 pm

Oh, yikes, you’re totally right. Wow.

Reply

Toto in Kansas January 16, 2014 at 7:11 pm

It’s still up.

Reply

Wren January 16, 2014 at 7:48 pm

what the F!!!! it is still up. unbelievable.

Reply

pws January 16, 2014 at 7:51 pm

Yep, still there :\.

Reply

Abby January 16, 2014 at 9:14 pm

And it’s stillllll up. I wonder who is working to fix this?

Reply

SamV January 16, 2014 at 10:02 pm

Still up. At this point DDoSing it looks like it would be a community service.

Reply

fposte January 16, 2014 at 10:22 pm

Except for the fact that people on there really are trying to get a job and need the users to see their materials, so it would be really nasty to them. And people who set up a site like this aren’t going to be feverishly working through the night to fix things–I’ll be a little surprised if it changes any time soon, to be honest.

Reply

PGH January 16, 2014 at 10:40 pm

It’s still up, as of 10:40 pm. And an earlier Google cached page for this particular post on AAM is also still up, which is how I was able to find the URL to search for and access the website.

I’m not sure if one of the applicants in the database they ended up hiring (found via About >> Staff) is in charge of this, but the last entry in the database does long predate this person’s application.

Reply

Kat January 16, 2014 at 11:15 pm

Still up at 11:14 EST

Reply

Poe January 17, 2014 at 4:21 am

Is anyone else really freaked out that this is a healthcare organization with information security issues?

Reply

Mochafrap512 January 17, 2014 at 5:08 am

I think they should ask Alison for advice on how to get a new IT person, but in all seriousness this is dangerous. Personal addresses appear to be listed for some of them. It would be easy for someone (insane, obviously) to “wipe out the competition.”

Reply

fposte January 17, 2014 at 9:42 am

Sure, but people’s names and addresses are also available in whitepages.com, so I really don’t agree that this is dangerous. Tthere’s a reason why what they’re doing isn’t illegal, after all–there’s been no judgment that it needs to be. The likeliest risk if if people haven’t told their current job they’re searching and they get found out–or that people with a really good cover letter will get copied.

Reply

Anon January 17, 2014 at 9:57 am

If their cover letter is on display, what makes you think that their other information isn’t easily hackable? If this is being shown, I can bet you there are other vulnerabilities.

Reply

fposte January 17, 2014 at 10:34 am

Because you don’t need to hack to get the information that’s on display. You just need to look. What makes you think an organization this clueless would have managed to hide the rest of the information if it were in the same system?

Reply

You Can't Hide Online January 17, 2014 at 4:07 pm

Per another comment upthread, they actually *have* hired someone in IT – someone whose information is still available on the application site. Oof.

Reply

Gem January 17, 2014 at 7:23 am

Still up! Plenty of spam but still can see all the details. This is ridiculous!

Reply

Random Reader January 17, 2014 at 8:37 am

Still up! AAM, the comment further up with the dates brings it straight up for me. Curious as I was to see it, that does rather thwart all the attempts to maintain anonymity.

Reply

Longtime Lurker January 17, 2014 at 10:20 am

AAM, please do remove the post above (by Canadamber) containing search terms. It’s just adding insult to injury for those job applicants.

Reply

fposte January 17, 2014 at 10:35 am

If that’s going to happen, PGH’s post providing alternative finding guidance should probably also go.

Reply

Canadamber January 17, 2014 at 11:08 pm

Yeah I was gonna chime in about my post, but I’m glad to see that it’s been dealt with already. Thanks, Alison! :)

Reply

EntirelyOutThere January 17, 2014 at 11:22 am

Additionally people can search by job title for what positions applicants are applying for specifically. (Ironically no applications for IT!)

Reply

Trixie January 17, 2014 at 6:08 pm

It looks like it’s been fixed at last.

Reply

Anon January 17, 2014 at 6:32 pm

^^ Search still returns people’s applications.

Reply

Trixie January 17, 2014 at 8:13 pm

Probably search engine caching. If the admins of the site want to do a thorough job of removing the info, they’ll need to contact the search engines and get them to remove the info from their caches. They may have already done so, but it takes time to complete.

Reply

fposte January 18, 2014 at 12:58 pm

Direct URL gets the same result as always for me, even if my cache is cleared.

Reply

EntirelyOutThere January 17, 2014 at 9:29 pm

Not sure where you’re getting it is fixed? I go to the direct link and it still displays the old information without searching.

Reply

fposte January 21, 2014 at 11:03 pm

And the site’s been updated–but only to remove the spam influx of January. All the job info has been helpfully left up, and the spam subdirectories are still active.

Reply

fposte April 22, 2014 at 12:04 am

Belated update–I happened on this thread again and checked, the site has finally blocked external access.

Reply

Leave a Comment

You can find the site's commenting guidelines here.

Previous post:

Next post: